The scope of the Sony data breach is growing, but the public focus continues to be on Sony’s actions following the breach, rather than on steps to prevent or mitigate events like these in the first place. As we noted earlier, this focus emphasizes a de facto burden-shifting, in which consumers bear the risk of using on-line or other services, and also are left to face the consequences of any resulting identity theft.

Sony last week announced that 77 million PlayStation and Qriocity accounts had been accessed by hackers in mid-April. This week, Sony discovered that an additional 24.7 million Sony Online Entertainment (SOE) accounts were compromised during the same timeframe. In the SOE breach, Sony confirmed that the compromised information included the bank account, credit card and debit card numbers of thousands of non-U.S. account holders.

It is now up to account holders to deal with the consequences. Sony’s response to the SOE breach has been to engage a third-party email distributor to send a Customer Service Notification. The notice places the onus on account holders to look out for email and other scams, to obtain credit reports, to consider contacting U.S. credit bureaus in order to place a “fraud alert” on their credit file, and to contact various federal and state agencies for information about preventing identity theft. This repeats Sony’s previous advice to its PlayStation and Qriocity users.

Meanwhile, the House of Representatives is seeking information from Sony about the situation. The Subcommittee on Commerce, Manufacturing, and Trade sent a letter to Sony with thirteen questions about the data breach. The letter primarily focuses on post-breach information, such as Sony’s delay in first notifying customers and authorities, and Sony’s investigation of the breach.

The public is still waiting for information about how consumer data was (or was not) protected by Sony. In its notice to SOE users, Sony stated that it does not believe that its main credit card database has been compromised because it is in a “completely separate and secured environment.” This raises the question: in what sort of “environment” was the remainder of the information (name, mail and email addresses, birthdate, gender, phone number, login name, etc.) stored? The notice also states that there is an “outdated database from 2007” that contains the bank account and credit and debit card numbers that were compromised.

Among all of the bad news, there was one encouraging development. Sony originally reported that the PlayStation and Qriocity breach included account passwords, which were not encrypted. This was particularly concerning, as on-line users may use the same password for different accounts, including those for on-line banking or shopping. In a blog post this week, Sony clarified that the account passwords, while not encrypted, were in fact “hashed.” Although different from “encryption,” hashing can be a reliable method of protecting password information. When a user first selects a password, the password is transformed by a function into a coded, or hashed, version of the password. Later, when the user attempts to log on, the newly entered password is transformed by the same hashing function. The web site verifies that the result matches the coded version already stored on its server. In this way, the web site never needs to store the actual password. In addition, hashing is intended to be a one-way process, meaning that while hashing functions can transform a password into a coded version, they cannot transform the coded version back into its original form. This suggests that the hackers should not be able to determine users’ actual passwords, even if they have the hashed versions.
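To make the register-and-verify flow above concrete, here is an added example (not Sony's code; the site, the user record and the parameter choices are assumptions). It stores only a per-user random salt and a slow, iterated hash, which is what keeps the one-way property meaningful when attackers hold the stored values and try to guess common passwords.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed site parameters: PBKDF2 with SHA-256, a random 16-byte salt per user,
# and an iteration count large enough to make each guess expensive.
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Transform a newly chosen password into (salt, hashed value).

    A fresh salt is drawn unless one is supplied, so two users with the same
    password end up with different stored values.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_hash: bytes) -> bool:
    """Re-run the same function on the login attempt and compare with the stored value.

    compare_digest avoids leaking how many leading bytes matched via timing.
    """
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_hash)


def demo() -> dict:
    """Constructed walk-through: the record never contains the password itself."""
    user_db = {}
    chosen = "correct horse battery staple"  # constructed sample password
    salt, digest = hash_password(chosen)
    user_db["alice"] = {"salt": salt, "hash": digest}

    rec = user_db["alice"]
    return {
        "right_password_accepted": verify_password(chosen, rec["salt"], rec["hash"]),
        "wrong_password_rejected": not verify_password("password123", rec["salt"], rec["hash"]),
        # Same password hashed again with a new salt yields a different stored value.
        "salt_changes_output": hash_password(chosen)[1] != digest,
        # Same salt and password always reproduce the stored value (deterministic check).
        "same_salt_reproduces": hash_password(chosen, salt)[1] == digest,
    }
```

Without a salt and a slow function, identical passwords hash identically, so one precomputed guess table would expose every account sharing a weak password.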

There has been much public discussion about what Sony knew, when it knew, and how soon it went public. Real progress will be made when measures to prevent such data losses are strengthened. Perhaps lessons learned from these events will help in those efforts.